-
Notifications
You must be signed in to change notification settings - Fork 571
[User Guide] Upgrade from v3.3.0 to v4.0.0
The v4.0.0
release is predominantly a policy refresh release that brings the latest policy changes from the upstream reference.
- Support for version 3.54.0 of the
azurerm
provider. This is a breaking change and will require updates to your calling module. - Upstream policy definition and assignment updates have now been included in this module. Full details of the policy updates can be found here.
- Support for policy assignment overrides as per these docs.
- Azure Firewall Basic
- Policy Enforcement Mode control for built-in archetypes
The policy initiative Enforce-EncryptTransit
has reduced some parameters and will therefore need to be either manually deleted (with any assignments), or the resource (and any assignments) will need to be tainted to force a redeployment with the new module version.
To taint the resources, run the following commands:
# Taint the definintion
terraform taint 'module.<MODULE_REFERENCE>.azurerm_policy_set_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/<YOUR_ROOT_MG>/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit"]'
# Taint the assignment
terraform taint 'module.<MODULE_REFERENCE>.azurerm_management_group_policy_assignment.enterprise_scale["/providers/Microsoft.Management/managementGroups/<YOUR_LANDING_ZONES_MG>/providers/Microsoft.Authorization/policyAssignments/Enforce-TLS-SSL"]'
If you want to use the v3.3.0 version of policies, you can add the following files as per these docs:
{
"extend_es_corp": {
"policy_assignments": [
"Deny-DataB-Pip",
"Deny-DataB-Sku",
"Deny-DataB-Vnet"
],
"policy_definitions": [],
"policy_set_definitions": [],
"role_definitions": [],
"archetype_config": {
"parameters": {},
"access_control": {}
}
}
}
{
"exclude_es_corp": {
"policy_assignments": [
"Audit-PeDnsZones",
"Deny-HybridNetworking",
"Deny-Public-IP-On-NIC",
],
"policy_definitions": [],
"policy_set_definitions": [],
"role_definitions": [],
"archetype_config": {
"parameters": {},
"access_control": {}
}
}
}
{
"exclude_es_decommissioned": {
"policy_assignments": [
"Enforce-ALZ-Decomm"
],
"policy_definitions": [],
"policy_set_definitions": [],
"role_definitions": [],
"archetype_config": {
"parameters": {},
"access_control": {}
}
}
}
{
"extend_es_identity": {
"policy_assignments": [
"Deny-RDP-From-Internet"
],
"policy_definitions": [],
"policy_set_definitions": [],
"role_definitions": [],
"archetype_config": {
"parameters": {},
"access_control": {}
}
}
}
{
"exclude_es_identity": {
"policy_assignments": [
"Deny-MgmtPorts-Internet"
],
"policy_definitions": [],
"policy_set_definitions": [],
"role_definitions": [],
"archetype_config": {
"parameters": {},
"access_control": {}
}
}
}
{
"extend_es_landing_zones": {
"policy_assignments": [
"Deny-RDP-From-Internet",
"Deploy-SQL-DB-Auditing"
],
"policy_definitions": [],
"policy_set_definitions": [],
"role_definitions": [],
"archetype_config": {
"parameters": {},
"access_control": {}
}
}
}
{
"exclude_es_landing_zones": {
"policy_assignments": [
"Audit-AppGW-WAF",
"Deny-MgmtPorts-Internet",
"Deploy-AzSqlDb-Auditing",
"Enforce-GR-KeyVault"
],
"policy_definitions": [],
"policy_set_definitions": [],
"role_definitions": [],
"archetype_config": {
"parameters": {},
"access_control": {}
}
}
}
{
"exclude_es_platform": {
"policy_assignments": [
"Deny-MgmtPorts-Internet",
"Deny-Subnet-Without-Nsg",
"Deploy-Log-Analytics",
"Deploy-VM-Backup"
],
"policy_definitions": [],
"policy_set_definitions": [],
"role_definitions": [],
"archetype_config": {
"parameters": {},
"access_control": {}
}
}
}
{
"exclude_es_root": {
"policy_assignments": [
"Audit-UnusedResources",
"Deny-Classic-Resources",
"Deny-UnmanagedDisk",
"Deploy-MDEndpoints",
"Deploy-MDFC-OssDb",
"Deploy-MDFC-SqlAtp",
"Enforce-ACSB"
],
"policy_definitions": [],
"policy_set_definitions": [],
"role_definitions": [],
"archetype_config": {
"parameters": {},
"access_control": {}
}
}
}
{
"exclude_es_sandboxes": {
"policy_assignments": [
"Enforce-ALZ-Sandbox"
],
"policy_definitions": [],
"policy_set_definitions": [],
"role_definitions": [],
"archetype_config": {
"parameters": {},
"access_control": {}
}
}
}
There are no bug fixes in this release, it is just a policy refresh release.
Full Changelog: v3.3.0...v4.0.0
Take a look at the latest User Guide documentation and our Examples to understand the latest module configuration options, and review your implementation against the changes documented on this page.
If you're running into problems with the upgrade, please let us know via the GitHub Issues. We will do our best to point you in the right direction.
This wiki is being actively developed
If you discover any documentation bugs or would like to request new content, please raise them as an issue or feel free to contribute to the wiki via a pull request. The wiki docs are located in the repository in the docs/wiki/
folder.
- Home
- User guide
- Video guides
-
Examples
- Level 100
- Level 200
-
Level 300
- Deploy multi region networking with custom settings (Hub and Spoke)
- Deploy multi region networking with custom settings (Virtual WAN)
- Deploy with Zero Trust network principles (Hub and Spoke)
- Deploy identity resources with custom settings
- Deploy management resources with custom settings
- Expand built-in archetype definitions
- Create custom policies, initiatives and assignments
- Override module role assignments
- Control policy enforcement mode
- Policy assignments with user assigned managed identities
- Level 400
- Frequently Asked Questions
- Troubleshooting
- Contributing